Secure Programming Lab 3: Solutions

Transcription

1 Secure Programming Lab 3: Solutions Rui Li, Arthur Chan and David Aspinall 14th March Metadata and privacy Checkpoint 1. Where did the metadata come from? Is any of the data concerning from a privacy perspective? Mostly from the image and the camera app, but also some from the connection to the server. Much could be seen as concerning: the make and model of the camera could be used to identify users if only one has that device. The GPS coordinates are obviously concerning. The base64 encoded username and IP address are worrying on a site that is essentially pseudo-anonymous. The user-agent gives quite precise Checkpoint 2. Pick a bit of metadata and describe how it could be used to attack, or deanonymise a user. Image Model: if only one person is using that device in your vicinity they re probably the user. Connecting-IP and User-Agent: gives you a target to attack and a hint at what software they may be running. Date Time and GPS: this person must be taking Secure Programming! Task: Some of the metadata has come from the EXIF tags embedded in the image. Modify the app to strip the EXIF tags. Have a look at android.media.exifinterface.setattribute(). Checkpoint 3. How accurate is the data? Where do the coordinates say the pictures were taken? Not very. The app is set up to use the last known coarse location. This could change with time however. You ll need to convert to decimal degrees and make the longitude negative since we re west of Greenwich. You can then plot them on Google Maps. I usually turn up on Dalrymple Crescent, about a mile from the Informatics Forum where the picture was taken. 2. Transport Security Checkpoint 4. Describe the size and format of the key. What is the certificate s chain of trust? For what sites is the key valid? It s an SSL certificate signed by a 2048 bit RSA key on a SHA256 Hash. The chain of trust goes: DST Root CA X3 -> Let s Encrypt Authority X3 -> infr11098.space The certificate is only valid for infr11098.space (the Common Name). Checkpoint 5. Many browsers have the certificate authority s certificates built in. In Firefox they can be found in the Certificates tab under Advanced in about:preferences. Find the CA certificates used to sign infr11098.space. 1

2 Essentially the certificates identified in checkpoint 3. Task: Modify the app to use the HTTPS protocol if the server address requires it. If an error occurs you should stop and report the message to the user. Essentially just switch the HttpURLConnection for an HttpsURLConnection. Some switching based on the url.getprotocol would be nice. Checkpoint 6. Does the connection still work? If not why not? Nope. The certificate is not valid for the ip address, it only valid for the domain name infr11908.space. That is not the domain embedded in the certificate, even though they both point to the same server. 3. Pinned Certificates Checkpoint 7. Think about the two attacks, and the work required for an attacker. What certificates would the attacker need for their deception to work with HTTPS? How might the user notice they were being attacked? Simple Approach: relies on user not spotting the typo. The attacker would need a certificate for their own domain, which should be easily available. Some browsers may report that the domain is probably not the one you intended to visit. MITM: relies on you tricking the user into installing your fake certificate, or getting a CA to issue you with a certificate (which they should not do). Users may notice the certificate is different if they are weirdly observant. DigiNotar were caught issuing bad certificates for google.com in The National Informatics Center of India and the Indian Controller of Certifying Authorities were caught in Task: Implement certificate pinning for the app and the server. Moxie Marlinspike (Ex-head of security at Twitter, and Open Whisper Systems founder) has written a library to do this. The code is freely available and is worth reading for a guide to doing it correctly

3 Android Pinning Source Code PinningTrustManager.java/ / Copyright (C) Moxie Marlinspike This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see < / package org.thoughtcrime.ssl.pinning; import android.util.log; import java.security.keystoreexception; import java.security.messagedigest; import java.security.nosuchalgorithmexception; import java.security.cert.certificateexception; import java.security.cert.x509certificate; import java.util.arrays; import java.util.collections; import java.util.hashset; import java.util.linkedlist; import java.util.list; import java.util.set; import javax.net.ssl.trustmanager; import javax.net.ssl.trustmanagerfactory; import javax.net.ssl.x509trustmanager; / A TrustManager implementation that enforces Certificate "pins." <p> PinningTrustManager is layered on top of the system's default TrustManager, such that the system continues to validate CA signatures for SSL connections as usual. Additionally, however, PinningTrustManager will enforce certificate constraints on the validated certificate chain. Specifically, it will ensure that one of an arbitrary number of specified SubjectPublicKeyInfos appears somewhere in the valid certificate chain. </p> <p> 3

4 To use: <pre> TrustManager[] trustmanagers = new TrustManager[1]; trustmanagers[0] = new PinningTrustManager(SystemKeyStore.getInstance(), new String[] {"f30012bbc18c231ac1a44b788e410ce ); SSLContext sslcontext = SSLContext.getInstance("TLS"); sslcontext.init(null, trustmanagers, null); HttpsURLConnection urlconnection = (HttpsURLConnection)new URL(" urlconnection.setsslsocketfactory(sslcontext.getsocketfactory()); InputStream in = urlconnection.getinputstream(); </pre> Moxie Marlinspike / public class PinningTrustManager implements X509TrustManager { private final TrustManager[] systemtrustmanagers; private final SystemKeyStore systemkeystore; private final long enforceuntiltimestampmillis; private final List<byte[]> pins = new LinkedList<byte[]>(); private final Set<X509Certificate> cache = Collections.synchronizedSet(new HashSet<X509Certificate public PinningTrustManager(SystemKeyStore keystore, String[] pins, long enforceuntiltimestampmilli / Constructs a PinningTrustManager with a set of valid keystore A SystemKeyStore that validation will be based pins An array of encoded pins to match a seen certificate chain against. A pin is a hex-encoded hash of a X.509 certificate's SubjectPublicKeyInfo. A pin can be generated using the provided pin.py script: python./tools/pin.py enforceuntiltimestampmillis A timestamp (in milliseconds) when pins will stop being enforced. Normal non-pinned certificate validation will continue. Set this to some period after your build date, or to 0 to enforce pins forever. / this.systemtrustmanagers = initializesystemtrustmanagers(keystore); this.systemkeystore = keystore; this.enforceuntiltimestampmillis = enforceuntiltimestampmillis; for (String pin : pins) { this.pins.add(hexstringtobytearray(pin)); 4

5 private TrustManager[] initializesystemtrustmanagers(systemkeystore keystore) { try { final TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509"); tmf.init(keystore.truststore); return tmf.gettrustmanagers(); catch (NoSuchAlgorithmException nsae) { throw new AssertionError(nsae); catch (KeyStoreException e) { throw new AssertionError(e); private boolean isvalidpin(x509certificate certificate) throws CertificateException { try { final MessageDigest digest = MessageDigest.getInstance("SHA1"); final byte[] spki = certificate.getpublickey().getencoded(); final byte[] pin = digest.digest(spki); for (byte[] validpin : this.pins) { if (Arrays.equals(validPin, pin)) { return true; return false; catch (NoSuchAlgorithmException nsae) { throw new CertificateException(nsae); private void checksystemtrust(x509certificate[] chain, String authtype) throws CertificateException { for (TrustManager systemtrustmanager : systemtrustmanagers) { ((X509TrustManager) systemtrustmanager).checkservertrusted(chain, authtype); private void checkpintrust(x509certificate[] chain) throws CertificateException { if (enforceuntiltimestampmillis!= 0 && System.currentTimeMillis() > enforceuntiltimestampmillis) { Log.w("PinningTrustManager", "Certificate pins are stale, falling back to system trust."); return; final X509Certificate[] cleanchain = CertificateChainCleaner.getCleanChain(chain, systemkeystore for (X509Certificate certificate : cleanchain) { if (isvalidpin(certificate)) { 5

6 return; throw new CertificateException("No valid pins found in chain!"); public void checkclienttrusted(x509certificate[] chain, String authtype) throws CertificateException { throw new CertificateException("Client certificates not supported!"); public void checkservertrusted(x509certificate[] chain, String authtype) throws CertificateException { if (cache.contains(chain[0])) { return; // Note: We do this so that we'll never be doing worse than the default // system validation. It's duplicate work, however, and can be factored // out if we make the verification below more complete. checksystemtrust(chain, authtype); checkpintrust(chain); cache.add(chain[0]); public X509Certificate[] getacceptedissuers() { return null; private byte[] hexstringtobytearray(string s) { final int len = s.length(); final byte[] data = new byte[len / 2]; for (int i = 0; i < len; i += 2) { data[i / 2] = (byte) ((Character.digit(s.charAt(i), 16) << 4) + Character.digit(s.charAt(i + 1), 16)); return data; public void clearcache() { cache.clear(); PinningSSLSocketFactory / 6

7 Copyright (C) Moxie Marlinspike This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see < / package org.thoughtcrime.ssl.pinning; import android.content.context; import org.apache.http.conn.ssl.sslsocketfactory; import org.apache.http.conn.ssl.x509hostnameverifier; import org.apache.http.params.httpconnectionparams; import org.apache.http.params.httpparams; import javax.net.ssl.sslcontext; import javax.net.ssl.sslsocket; import javax.net.ssl.trustmanager; import java.io.ioexception; import java.net.inetaddress; import java.net.inetsocketaddress; import java.net.socket; import java.security.keymanagementexception; import java.security.keystoreexception; import java.security.nosuchalgorithmexception; import java.security.unrecoverablekeyexception; / A standard Apache SSL Socket Factory that uses an pinning trust manager. <p> To use: <pre> String[] pins = new String[] {"40c5401d6f8cbaf08b00edefb1ee87d005b3b9cd"; SchemeRegistry schemeregistry = new SchemeRegistry(); schemeregistry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80)); schemeregistry.register(new Scheme("https", new PinningSSLSocketFactory(getContext(),pins, 0), 44 HttpParams httpparams = new BasicHttpParams(); ClientConnectionManager connectionmanager = new ThreadSafeClientConnManager(httpParams, schemereg DefaultHttpClient httpclient = new DefaultHttpClient(connectionManager, httpparams); 7

8 HttpResponse response = httpclient.execute(new HttpGet(" </pre> Moxie Marlinspike / public class PinningSSLSocketFactory extends SSLSocketFactory { private final javax.net.ssl.sslsocketfactory pinningsocketfactory; / Constructs a PinningSSLSocketFactory with a set of valid pins An array of encoded pins to match a seen certificate chain against. A pin is a hex-encoded hash of a X.509 certificate's SubjectPublicKeyInfo. A pin can be generated using the provided pin.py script: python./tools/pin.py enforceuntiltimestampmillis A timestamp (in milliseconds) when pins will stop being enforced. Normal non-pinned certificate validation will continue. Set this to some period after your build date, or to 0 to enforce pins forever. / public PinningSSLSocketFactory(Context context, String[] pins, long enforceuntiltimestampmillis) throws UnrecoverableKeyException, KeyManagementException, NoSuchAlgorithmException, KeyStoreException { super(null); final TrustManager[] pinningtrustmanagers = initializepinningtrustmanagers(keystore, pins, enfor final SystemKeyStore keystore = SystemKeyStore.getInstance(context); final SSLContext pinningsslcontext = SSLContext.getInstance(TLS); pinningsslcontext.init(null, pinningtrustmanagers, null); this.pinningsocketfactory = public Socket createsocket() throws IOException { return public Socket connectsocket(final Socket sock, final String host, final int port, final InetAddress localaddress, int localport, final HttpParams params) throws IOException { final SSLSocket sslsock = (SSLSocket) ((sock!= null)? sock : createsocket()); if ((localaddress!= null) (localport > 0)) { if (localport < 0) { 8

9 localport = 0; sslsock.bind(new InetSocketAddress(localAddress, localport)); final int conntimeout = HttpConnectionParams.getConnectionTimeout(params); final int sotimeout = HttpConnectionParams.getSoTimeout(params); final InetSocketAddress remoteaddress = new InetSocketAddress(host, port); sslsock.connect(remoteaddress, conntimeout); sslsock.setsotimeout(sotimeout); try { SSLSocketFactory.STRICT_HOSTNAME_VERIFIER.verify(host, sslsock); catch (IOException iox) { try { sslsock.close(); catch (Exception ignored) { throw iox; return public Socket createsocket(final Socket socket, final String host, int port, final boolean autoclose) throws IOException { if (port == -1) { port = 443; final SSLSocket sslsocket = (SSLSocket) pinningsocketfactory.createsocket(socket, host, port, au SSLSocketFactory.STRICT_HOSTNAME_VERIFIER.verify(host, sslsocket); return public void sethostnameverifier(x509hostnameverifier hostnameverifier) { throw new IllegalArgumentException("Only strict hostname verification (default) " + "is public X509HostnameVerifier gethostnameverifier() { return SSLSocketFactory.STRICT_HOSTNAME_VERIFIER; private TrustManager[] initializepinningtrustmanagers(systemkeystore keystore, 9

10 { String[] pins, long enforceuntiltimestampmillis) final TrustManager[] trustmanagers = new TrustManager[1]; trustmanagers[0] = new PinningTrustManager(keyStore, pins, enforceuntiltimestampmillis); return trustmanagers; 10